The invention relates to an algorithm used in subscriber authentication in a mobile communication system, and particularly to an authentication response used in subscriber authentication.
The mobile communication system generally refers to any telecommunications system which enables wireless communication when users roam within the service area of the system. The public land mobile network PLMN is a typical example of a mobile communication system.
In mobile communication systems, mobile stations and the actual network usually communicate via radio paths. A radio path is physically open, which causes security risks and therefore both the users and the operator should be protected against intrusion by a third party, whether intrusion is unintentional or not. For example, illegal access to the network is prevented so that the network authenticates a mobile station when it registers with the network. The risk of eavesdropping is reduced by using encryption.
Authentication is a procedure in which one party authenticates the other party according to an agreed procedure. In the pan-European mobile communication system GSM (Global System for Mobile communications), for example, the algorithms to be used in authentication and the subscriber's key Ki are stored both in the subscriber identity module SIM and in the authentication center for authentication. In the GSM system the authentication response SRES to be used in authentication is calculated using algorithm A3 and the key Ks to be used in encryption of the information to be transmitted over the radio path with algorithm A8. Typically these algorithms are combined so that both the authentication response SRES and the encryption key Kc are calculated during authentication. Algorithms A3 and A8 are operator-specific, proprietary and typically secret. The random number generator in the authentication center generates a challenge RAND which is transmitted to a mobile station over the radio path during authentication. The challenge RAND and the subscriber key Ki are used for calculating the authentication response SRES and the encryption key Kc both in the authentication center and in the mobile station. During authentication the mobile station sends the authentication response SRES calculated by it back to the network where it is compared with the authentication response calculated by the authentication center. If the responses are identical, the mobile station passes authentication, after which the information to be transmitted on the radio path is usually encrypted with an encryption key Kc.
The problem related to the authentication procedure described above is that operator-specific customization is not possible. Neither can the algorithms be revealed to different operators, for example, without at the same time giving the operator a chance of interfering with the authentication system of another operator. Thus the security of the system cannot be guaranteed, either.